Hackers target hotel room key-card security

Hackers have taken to the internet with a series of videos demonstrating how to compromise the information security within hotel room keycard locks

At the recent Black Hat security conference, Mozilla software developer Cody Brocious demonstrated a simple hack on locks from Onity, which owns 50% of the hospitality market, supplying more than 4 million locks in the US. The locks don’t encrypt their communications data, and the memory can be arbitrarily accessed, so it was a relatively easy process to tap in using a portable programmer – created with about $40 worth of commercially available hardware – to reverse-engineer the communications protocol.

Brocious’ hack was, however, successful only part of the time. And Onity was quick to seize on the lack of ubiquitous success, saying that it "understands the hacking methods to be unreliable, and complex to implement.”

Hackers seem to have been busy working on the kinks, as the videos show, seemingly taking Onity’s words as a challenge.

Onity did say that it was working on the issue. “To alleviate any concerns, we are developing a firmware upgrade for the affected lock-type,” it said. “The upgrade will be made available after thorough testing to address any potential security concerns that you may have."

The fixes, released this week, include a hardware cap that can prevent a portable programmer from being inserted in the first place, and a so-called “firmware” update that is actually just a new chip to replace the compromised silicon in the electronics of the lock. “For locks that have upgradable control boards, there may be a nominal fee,” the company said. “Shipping, handling and labor costs to install these boards will be the responsibility of the property owner.”

In both cases, intruders have an easy way to get around the obstacle. For the former, those with mal intent need only pop off the face of the lock to gain access – albeit a suspicious-looking activity. For the latter, the new chip can simply be reverse engineered again.

Brocious took to his blog to point out that the only way to truly fix the issue is by encrypting all communication data.